Debate lingers over federal data-handling laws

As Congress mulls national standards for consumer data protection, business leaders and privacy advocates contest potential risks, benefits of the bills

By Matt Hines

InfoWorld | Apr 3, 2007

Even as the federal government appears poised to create new consumer data protection laws in 2007, businesses and privacy advocates in the United States remain at odds over the parameters of such legislation and its potential impact.

Lawmakers on Capitol Hill are currently reviewing a handful of high-profile bills that seek to place stricter requirements on organizations that collect sensitive consumer information, and establish national guidelines for public disclosure of data breaches.

These bills include the Senate's Notification of Risk to Personal Data Act and Personal Data Privacy and Security Act, as well as the Data Accountability and Trust Act, Social Security Number Protection Act, and Prevention of Fraudulent Access to Phone Records Act -- all of which are under consideration in the House.

As with similar laws that failed to pass through Congress in 2006, the proposed legislation is meant to force organizations to better protect sensitive data and avoid incidents such as the computer systems intrusion recently experienced by discount retailer TJX Companies -- which resulted in the theft of 45.7 million customer records.

However, the conventional picture -- in which businesses oppose stricter data-handling laws because of their exacting terms and harsh penalties, while privacy advocates staunchly back the creation of federal legislation -- is in many cases reversed.

Many business leaders say that stronger national information security laws will in fact help them create unified data management policies that cover operations across the entire country, thereby making their lives easier.

And perhaps more surprisingly, privacy experts say that the passage of federal data handling legislation could actually end up damaging consumer protection, which they would prefer to see handled by individual states.

At present, companies must deal with a wide range of state laws that govern data management and incident reporting, making the process complex for the many businesses that operate from coast-to-coast.

To remain compliant with all the various state data-handling requirements, companies are forced to spend considerable time examining the minutiae of regional laws and tailoring their systems and processes to each, business leaders contend.

To ease the process, some companies have crafted their existing policies around California's Security Breach Information Act -- also known by its bill number, SB 1386, and referred to here as California 1386 -- which took effect in 2003 and remains one of the earliest, and most demanding, data-handling mandates.

By tuning his company's data management operations to California 1386, Pat Lefemine, chief information security officer at Philadelphia-based Lincoln Financial Group, claims he's been able to guide his company over the past several years without a major incident.

The CISO would prefer, however, to see a national bill passed to help ensure that his company -- a massive financial services provider with 10,000 employees and $230 billion in managed assets -- hasn't missed some detail and left itself vulnerable to penalties and public embarrassment.

"We would very much welcome a federal law that supersedes the state laws. Even if they just made 1386 a federal law it would help, because right now you have every state enacting something different," Lefemine said. "The state laws all seem to have minor caveats that create challenges. We need something that is easily defined and understood nationwide to help us move forward."

For instance, if individual states begin requiring vastly different levels of encryption to be applied to consumer data -- a foreseeable possibility -- it would create huge policy and technology management problems for businesses like Lincoln Financial, according to the CISO.

Despite the promises of executives like Lefemine, who say they must protect customer data at all costs to keep their clients from jumping ship, privacy experts maintain that businesses desire a national law because it will be less demanding than the existing state guidelines.

States have always done a better job at protecting the privacy of their residents because they can act more quickly and decisively in creating and enforcing laws, said Ed Mierzwinski, consumer program director at U.S. PIRG, a federation of state public interest research groups.

Some business leaders have the interests of consumers at heart, but most just want to save time and money, the privacy watchdog claims. Mierzwinski also said that any law passed by Congress in 2007 likely will be weaker than the existing state mandates, including California 1386.

"The examples are legion where industry says we need a national uniform law and that they will support one, and then Congress ends up passing a weak law full of exceptions that takes away state activities forever, and it's not worth the price," Mierzwinski said.

The expert said that Boston-based PIRG is currently fighting the passage of the federal bills because it views the proposed laws as too soft on industry. If large national companies can afford to market to individual consumers, as they increasingly claim to, they should be able to conform to slightly different laws in each state, he said.

"Industry has a view that tends to overstate the problem. It's shocking to me that they say they can't figure it out when they can slice-and-dice their customer base and target market to individual consumers," Mierzwinski said. "They're saying they can't deal with a maximum of 54 state and territorial laws, which makes no sense. Even if it costs more, they should agree that the benefits are worth it."

Other privacy advocates agree, and point to the federal bills that failed in 2006, after debate over many of the same arguments, as evidence that a national data protection standard may not benefit consumers in the end.

Pam Dixon, executive director of the nonprofit World Privacy Forum, based in San Diego, observed that those laws wouldn't have measured up to California 1386 by the time they were put up for approval by Congress.

"All the bills morphed a lot, they were really weak and very watered down from their original formats," Dixon said. "In general, this comes down to a very deep government question about whether you want to have national preemption on every law because industry says they can't comply; and this has always been an issue, because as bills go national they get watered down as the lobbying dollars take effect."

Some experts say there is room for both federal and state intervention, as long as states retain sufficient power to enact their own measures.

Lillie Coney, associate director with the Electronic Privacy Information Center (EPIC) in Washington, said that while state laws will be the most important, a national guideline could help provide a baseline of expected consumer protection.

"The states are the best place to figure out what works best, but the feds can set a minimum and still allow states to go further to suit their interests," Coney said. "It will take a lot of hard effort and creativity to come up with policies that work and at the same time don't constrain innovation."